Lync Server 2010 Control Panel "Insufficient access rights to perform the operation"
I've implemented a Lync Server with a few hiccups along the way, but all services are running now. When I log in to the control panel to add users, for anyone in the Administrators group, I'm getting the following error when I try to enable them.
Active Directory operations failed on "my.server.com". You cannot retry this operation: "Insufficient access rights to perform the operation 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0"
I've tried giving Administrator rights to the user CSAdministrator and RTCUniversalSystemAdmins, but still get the same result.
September 14th, 2010 6:09pm
The problem is a known and common issue with Domain Administrators or Enterprise Administrators. It is the recommendation that a user have an elevated privilege account that they use only when necessary and an everyday use account. But you can still get this to work with an account that is a domain admin:
If you turn Advanced Features on in AD Users and Computers, locate the user that is a domain admin, select the Security tab, click Advanced and select "Include Inheritable Permissions from this object's parent" on the user object, you will then be able to add them for Lync.
Check this out for an explanation of the issue:
http://msexchangeteam.com/archive/2009/09/23/452595.aspx
While the link I have provided you is for ActiveSync and Exchange Server 2010, the same resolution applies.
Mark
September 14th, 2010 6:20pm
That did it. Thanks for your help and also for the blog. I'm sure a few people will ask this again :)
Proposed as answer by AndyK47, Sunday, August 18, 2013 6:22 PM
September 14th, 2010 7:03pm
September 20th, 2010 4:42pm
OK, this didn't work for me. Is there anything else that it could be?
September 21st, 2010 8:08pm
Hi ... I have the same problem; the above suggestion did not work for me either.
October 21st, 2010 5:04am
We figured out our situation and it was indeed the dreaded AdminSDHolder value. Accounts that did not have elevated rights had this value because at some point in time (before people got smart and started creating separate accounts) those accounts had elevated rights for some reason. Until that is fixed they will be more difficult to administer.
Proposed as answer by sham4n, Monday, May 21, 2012 6:30 AM
December 14th, 2010 6:30pm
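The leftover AdminSDHolder stamp described in the post above can be audited with a read-only report like the following. This is an added example, not code from any poster in this thread; it assumes the ActiveDirectory RSAT module is installed, that the stamp is visible as the adminCount attribute, and that the group list (a subset of the default protected groups) fits your domain.

```powershell
# Added example: report-only audit, makes no changes to the directory.
# Assumes the ActiveDirectory RSAT module and read access to user objects.
Import-Module ActiveDirectory

# Default groups whose members are stamped by AdminSDHolder (subset; adjust as needed).
$protectedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                   'Account Operators', 'Backup Operators', 'Print Operators', 'Server Operators'

# Collect the DNs of everyone who is currently in a protected group (nested members included).
# Groups that do not exist in this domain are skipped silently.
$currentlyProtected = @{}
foreach ($g in $protectedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $currentlyProtected[$_.DistinguishedName] = $true }
}

# Every user that carries the AdminSDHolder stamp (adminCount = 1), with the state
# of ACL inheritance on the user object and whether the stamp is still justified.
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
            StillProtected     = $currentlyProtected.ContainsKey($_.DistinguishedName)
        }
    } |
    Sort-Object StillProtected, SamAccountName |
    Format-Table -AutoSize
```

Rows with StillProtected = False and InheritanceBlocked = True are accounts that kept the stamp after losing their elevated membership; rows with StillProtected = True are current members of a protected group.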
A simple cmdlet is your solution:
Enable-CsUser -Identity "Administrator" -RegistrarPool your.domain.name -SipAddressType EmailAddress
Proposed as answer by Raul12, Sunday, January 08, 2012 7:08 PM
January 18th, 2011 7:58pm
http://www.unplugthepbx.com/Lists/Posts/Post.aspx?ID=31
Do I need to do it for each and every user? Can I create a group, add the users to that group, and allow them to inherit the permission? By doing so, would it impact any permission changes on the AD file level permissions etc.?
Thanks in advance.
January 24th, 2011 8:26pm
I also have the described error. I can move/edit users via PowerShell, but that is not OK, because our administrators want to configure users via the GUI. That's why I have to fix this error. I am getting the error on all users (all users are members of different groups, but not domain or enterprise admins). For example, they are members of Domain Users or the Print Operators built-in groups.
I created a dummy user, which is not a member of any group. In that case, editing is working. But that is not a solution, because our users have to be in groups.
Attached is the error I am getting when I try to edit a user (which is not a member of domain or enterprise admins).
Any idea how to solve the problem will be appreciated.
Regards
March 11th, 2011 11:15am
Hello,
I have tried all that is suggested previously but nothing works for me. Is there another solution to this? I'm running my Lync Server on a Hyper-V guest and have installed and uninstalled several times but still no luck. Can someone assist me? I am in dire need of help and am just banging my head against the wall with no solution.
Thank You
April 8th, 2011 5:57am
Same issue here. It happens to me with users that are not domain admins.
May 5th, 2011 6:08pm
Hi,
I also have this problem, but a bit different: when I apply the settings and try, it works only one time, and if I try to add another (2nd/3rd etc.) user then it doesn't work. Any help will be appreciated.
Thanks
June 20th, 2011 10:26pm
Ashraf,
For Domain Admins and Enterprise Admins, the "Include Inheritable Permissions" setting reverts back to the original setting after some time. So you need to enable "Include Inheritable Permissions" again for Domain Administrators or Enterprise Administrators for Lync.
http://www.mytricks.in/2011/08/microsoft-lync-2010-insufficient-access.html
August 3rd, 2011 8:00am
I'm having the same problem for FIM synchronized Lync contacts. Any idea?
February 21st, 2012 4:41pm
Thank you! It works for me!
Regards!
October 24th, 2013 6:43pm
This is pretty annoying. It seems to do it for the "Print Operators" group too; I suspect it might do it for any built-in group that has more perms than "users".
January 8th, 2015 10:51pm
Ta - fixed it pronto :)
February 20th, 2015 7:53am